Capita’s £14m data breach fine — a wake-up call for UK organisations

On 15 October 2025, the Information Commissioner’s Office (ICO) announced a hefty £14m penalty against Capita and its subsidiary Capita Pensions Solutions — the largest fine ever issued by the ICO for a ransomware-related data breach — following a March 2023 cyber-attack that exposed the personal data of more than six million people.

Here, Eleanore Beard and Esme Steiger explore how weak cybersecurity and slow responses can trigger these major breaches and resulting fines — underscoring the need for swift action, strong safeguards and compliance with data protection regulations.

What happened & when

The cyber-attack started on 22 March 2023 when an employee unintentionally downloaded a malicious file. Although a high-priority security alert was raised within ten minutes, the compromised device wasn’t quarantined until 24 March — 58 hours after the initial alert. This gave the attackers significant time to exploit the systems. By 31 March 2023, ransomware was deployed that locked the staff out of the internal systems. 

The attack had severe consequences for both Capita entities. It affected millions of personal data records including pension records, employment records, customer data, financial data and special category data like criminal records and health information. 

Capita Pensions Solutions — the subsidiary that handles data for pension scheme organisations — saw 325 of its 600 client organisations affected by the breach.

ICO’s response to the data breach

The ICO received 93 complaints from Capita employees who experienced anxiety and stress after their personal data was exposed. 

Following its investigation, the ICO stated that Capita had “failed to ensure security of processing personal data” and lacked the “appropriate technical and organisational measures to effectively respond to the attack”.

The investigation found that Capita had failed to implement a tiering model for administrative records which allowed the attacker to escape privileges across multiple domains. 

Capita had also “failed to respond appropriately to security alerts” by taking 58 hours to act and quarantine the compromised device — far exceeding the target response time of one hour. 

Additionally, Capita’s systems hadn’t undergone penetration testing since they were commissioned, leaving them vulnerable and unprepared for cyber-attacks. 

To reflect the seriousness of the data breach, the ICO initially planned to fine Capita £45m. However, due to Capita’s cooperation and its post-breach remediation efforts — such as providing support for affected employees and engaging with the National Cyber Security Centre to improve its data systems — the ICO reduced the fine to £14m.

Lessons for UK organisations

The cyber-attack and the resulting ICO response and fining of Capita serves as a stark reminder of what a worst-case scenario can look like for UK companies. 

The lessons from the Capita cyber-attack underscore the importance of proactive cybersecurity measures, timely incident response and transparent communication with regulators and affected individuals.

With the recent high-profile cyber-attacks at Jaguar Land Rover, M&S, Co-op and Harrods, the message is clearer than ever — organisations must prioritise resilience and readiness. 

This includes looking at establishing: 

• Robust cybersecurity frameworks.
• Strong safeguards for protecting personal data.  
• Swift incident response protocols.
• Continuous monitoring and penetration testing to detect suspicious activity and recognise vulnerabilities.
• Compliance with data protection regulations.

Talk to us

The ICO has made it clear that “no organisation is too big to ignore its responsibilities”. As cyber threats continue to evolve, organisations must be equipped to respond swiftly and effectively — and legal guidance is essential. 

Our specialist cybersecurity lawyers advise on the full life cycle of incidents — from building resilience by developing proactive governance and risk management measures to assisting with incident response management and disclosure to the NCSC and ICO. 

Are you up to date with your GDPR training obligations? Our specialist training covers everything from compliance reviews to tailored action plans. We also support you with rights requests, complaints, SARs and ICO interactions. Training is available via workshops, seminars, webinars and more — on-site or online.

Talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing our contact form below.